diff options
| author | Dimitri John Ledkov <xnox@ubuntu.com> | 2020-05-19 18:20:39 +0100 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2020-05-20 15:10:44 +0200 |
| commit | 45fa3f18adf57ef9d743038743d9c90573aeeb91 (patch) | |
| tree | bb23b4ce9517ad2a547828e2712fc9ae3a61d8e7 | |
| parent | 9f3b410006956c59896034bb790b20e655f8b4cb (diff) | |
| download | busybox-w32-45fa3f18adf57ef9d743038743d9c90573aeeb91.tar.gz busybox-w32-45fa3f18adf57ef9d743038743d9c90573aeeb91.tar.bz2 busybox-w32-45fa3f18adf57ef9d743038743d9c90573aeeb91.zip | |
wget: implement TLS verification with ENABLE_FEATURE_WGET_OPENSSL
When ENABLE_FEATURE_WGET_OPENSSL is enabled, correctly implement TLS
verification by default. And only ignore verification errors, if
--no-check-certificate was passed.
Also note, that previously OPENSSL implementation did not implement
TLS verification, nor printed any warning messages that verification
was not performed.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1879533
CVE-2018-1000500
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
| -rw-r--r-- | networking/wget.c | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/networking/wget.c b/networking/wget.c index f2fc9e215..6a8c08324 100644 --- a/networking/wget.c +++ b/networking/wget.c | |||
| @@ -91,6 +91,9 @@ | |||
| 91 | //config: patches, but do want to waste bandwidth expaining how wrong | 91 | //config: patches, but do want to waste bandwidth expaining how wrong |
| 92 | //config: it is, you will be ignored. | 92 | //config: it is, you will be ignored. |
| 93 | //config: | 93 | //config: |
| 94 | //config: FEATURE_WGET_OPENSSL does implement TLS verification | ||
| 95 | //config: using the certificates available to OpenSSL. | ||
| 96 | //config: | ||
| 94 | //config:config FEATURE_WGET_OPENSSL | 97 | //config:config FEATURE_WGET_OPENSSL |
| 95 | //config: bool "Try to connect to HTTPS using openssl" | 98 | //config: bool "Try to connect to HTTPS using openssl" |
| 96 | //config: default y | 99 | //config: default y |
| @@ -115,6 +118,9 @@ | |||
| 115 | //config: If openssl can't be executed, internal TLS code will be used | 118 | //config: If openssl can't be executed, internal TLS code will be used |
| 116 | //config: (if you enabled it); if openssl can be executed but fails later, | 119 | //config: (if you enabled it); if openssl can be executed but fails later, |
| 117 | //config: wget can't detect this, and download will fail. | 120 | //config: wget can't detect this, and download will fail. |
| 121 | //config: | ||
| 122 | //config: By default TLS verification is performed, unless | ||
| 123 | //config: --no-check-certificate option is passed. | ||
| 118 | 124 | ||
| 119 | //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP)) | 125 | //applet:IF_WGET(APPLET(wget, BB_DIR_USR_BIN, BB_SUID_DROP)) |
| 120 | 126 | ||
| @@ -124,8 +130,11 @@ | |||
| 124 | //usage: IF_FEATURE_WGET_LONG_OPTIONS( | 130 | //usage: IF_FEATURE_WGET_LONG_OPTIONS( |
| 125 | //usage: "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n" | 131 | //usage: "[-c|--continue] [--spider] [-q|--quiet] [-O|--output-document FILE]\n" |
| 126 | //usage: " [-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n" | 132 | //usage: " [-o|--output-file FILE] [--header 'header: value'] [-Y|--proxy on/off]\n" |
| 133 | //usage: IF_FEATURE_WGET_OPENSSL( | ||
| 134 | //usage: " [--no-check-certificate]\n" | ||
| 135 | //usage: ) | ||
| 127 | /* Since we ignore these opts, we don't show them in --help */ | 136 | /* Since we ignore these opts, we don't show them in --help */ |
| 128 | /* //usage: " [--no-check-certificate] [--no-cache] [--passive-ftp] [-t TRIES]" */ | 137 | /* //usage: " [--no-cache] [--passive-ftp] [-t TRIES]" */ |
| 129 | /* //usage: " [-nv] [-nc] [-nH] [-np]" */ | 138 | /* //usage: " [-nv] [-nc] [-nH] [-np]" */ |
| 130 | //usage: " [-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..." | 139 | //usage: " [-P DIR] [-S|--server-response] [-U|--user-agent AGENT]" IF_FEATURE_WGET_TIMEOUT(" [-T SEC]") " URL..." |
| 131 | //usage: ) | 140 | //usage: ) |
| @@ -137,7 +146,9 @@ | |||
| 137 | //usage: "Retrieve files via HTTP or FTP\n" | 146 | //usage: "Retrieve files via HTTP or FTP\n" |
| 138 | //usage: IF_FEATURE_WGET_LONG_OPTIONS( | 147 | //usage: IF_FEATURE_WGET_LONG_OPTIONS( |
| 139 | //usage: "\n --spider Only check URL existence: $? is 0 if exists" | 148 | //usage: "\n --spider Only check URL existence: $? is 0 if exists" |
| 140 | ///////: "\n --no-check-certificate Don't validate the server's certificate" | 149 | //usage: IF_FEATURE_WGET_OPENSSL( |
| 150 | //usage: "\n --no-check-certificate Don't validate the server's certificate" | ||
| 151 | //usage: ) | ||
| 141 | //usage: ) | 152 | //usage: ) |
| 142 | //usage: "\n -c Continue retrieval of aborted transfer" | 153 | //usage: "\n -c Continue retrieval of aborted transfer" |
| 143 | //usage: "\n -q Quiet" | 154 | //usage: "\n -q Quiet" |
| @@ -662,7 +673,7 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) | |||
| 662 | pid = xvfork(); | 673 | pid = xvfork(); |
| 663 | if (pid == 0) { | 674 | if (pid == 0) { |
| 664 | /* Child */ | 675 | /* Child */ |
| 665 | char *argv[8]; | 676 | char *argv[9]; |
| 666 | 677 | ||
| 667 | close(sp[0]); | 678 | close(sp[0]); |
| 668 | xmove_fd(sp[1], 0); | 679 | xmove_fd(sp[1], 0); |
| @@ -689,6 +700,9 @@ static int spawn_https_helper_openssl(const char *host, unsigned port) | |||
| 689 | argv[5] = (char*)"-servername"; | 700 | argv[5] = (char*)"-servername"; |
| 690 | argv[6] = (char*)servername; | 701 | argv[6] = (char*)servername; |
| 691 | } | 702 | } |
| 703 | if (!(option_mask32 & WGET_OPT_NO_CHECK_CERT)) { | ||
| 704 | argv[7] = (char*)"-verify_return_error"; | ||
| 705 | } | ||
| 692 | 706 | ||
| 693 | BB_EXECVP(argv[0], argv); | 707 | BB_EXECVP(argv[0], argv); |
| 694 | xmove_fd(3, 2); | 708 | xmove_fd(3, 2); |